rprf Menu

About

Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

April 3, 2017

Governance Down Under

When I was a product manager responsible for faster ACH, I had a ringside seat to the lengthy maneuvering required to garner sufficient votes to mandate same-day ACH after the first attempt failed. We can anticipate similar maneuvering as we continue making fundamental improvements to payments, including the various initiatives under way around faster payments.

All of this harkens back to a compelling conference presentation that treasury representatives of a very large U.S. retailer gave several years ago. That presentation focused on the potential benefits of adopting a comprehensive, self-regulating governance model like Australia's. The Australian Payments Clearing Association (APCA) offers key payment stakeholders a seat at the table, thus balancing competing interests among parties in the payment chain.

I agree that the APCA could offer a template for any governance model being contemplated in the United States.

The APCA, to paraphrase, characterizes itself as being responsible for managing and developing regulations, procedures, policies, and standards governing payments clearing and settlement. Standing with and behind them is the authority conferred by the Reserve Bank of Australia (RBA), that country's central bank.

The 100-plus APCA members include a broad cross section of financial institutions, major retailers, and payments providers. The APCA board comprises an independent chair, the chief executive officer, two additional independent directors, eight nonvoting appointed or elected directors, and an RBA representative.

The expected completion later this year of a new payments system will be one of the APCA's more noteworthy achievements. The New Payments Platform, or NPP, will offer a low-value, faster payments service. The APCA partnered with 12 financial institutions to fund the NPP's development costs.

The APCA is divided among the following operational areas:

Checks

Direct debit/credit—is equivalent to ACH in the United States

Wire transfers

Cash—sets rules for the exchange and distribution of cash among participating financial institutions

Here in the United States, the Federal Reserve has already created a couple of agencies with some similar features: a task force on faster payments and another task force focused more broadly on secure payments for legacy and emerging payments. Both task forces include broad representation from financial institutions, payment providers, businesses, consumer groups, regulators, law enforcement, and others. Perhaps the biggest difference between the APCA and these two work groups is the ad-hoc, limited duration of the Fed groups and their mandate, which is limited to an advisory role. But there are some other activities that the APCA handles that here in the United States are handled by various disparate entities, a situation that hampers coordinated action.

What are your views on what, if anything, we should do to enhance payments governance in the United States?

By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Hi, thanks for the complements about our country's payment landscape. However, you seem to have the idea that the New Payments Platform grew organically out of altruistic efforts by the APCA. It didn't quite happen like that..

In 2007, BPAY (The bill payment platform opeartor) together with the major Australian banks tried to develop another platform called MAMBO (Me and My Bank Online) which would provide more account portability and faster payments. However, due to delays and increasing costs, several banks pulled out and the project was cancelled in 2011.

Then in 2012 the Reserve Bank of Australia demanded that they develop a real time payments platform by 2016, so they got together again and came up with the New Payments Platform, and although it will be a year late (expect late 2017), things are looking good.

One other takeout is that ANZ Bank's deputy CEO Graham Hodges said that MAMBO probably would have worked if it was built by a single bank rather than by a congress of institutions (source: ZDNet article). The NPP is being designed and built by SWIFT.

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

January 30, 2017

Pssst…Have You Heard about PSD2?

No, I'm not talking about the latest next-generation video gaming console. I am referring to the revised Directive on Payment Services (PSD2) that the European Parliament adopted in October 2015 and that will serve as the legal foundation for a single market for European Union (EU) payments. The original PSD was adopted in 2007 but, according to official statements, the Parliament found that an update was necessary to incorporate new types of payment services, improve consumer protection, strengthen payment transaction security, and increase competitiveness with an expected result of lower consumer fees in the payments processing market. PSD2 applies only to digital payments and must be in force in all EU countries by January 13, 2018.

The directive and subsequent implementation rules that the European Banking Authority* is developing make a number of major changes in the European banking landscape, including:

Opens up the regulated financial services system to merchants and processors who might initiate payments on their consumer customer's behalf as well as data aggregator firms. In particular, PSD2 will apply to any financial institutions already operating within the scope of the PSD but will also apply to third parties such as operators of e-commerce marketplaces, gift card and loyalty plans, bill payment service providers, public communication networks, account access services, mobile wallets, and those who receive payment by direct debit.

Requires financial institutions, upon the request of their customers, to allow these approved nonbank, third parties significant, but not unlimited, access to the customer's account and transaction data through APIs (application program interfaces). Many financial institutions see having to turn over customer data to potential competitors as a significant threat to the retention of their customer's business as well as concerns with data security.

Sets out two-factor customer authentication as an absolute minimum, with additional security such as one-time passwords required for higher-value transactions. The card issuer must actively authenticate all transactions above 10 euros. Critics of these provisions point out that the criminals will have fixed transaction amounts and authentication methodology information to modify their attacks.

Supplementing card interchange limits imposed in December 2015, prevents merchants from adding surcharges to payment card transactions. Under the original directive, each country established rules regarding surcharging on card payments. It has been a common practice of European merchants to levy a surcharge on payment card transactions to offset the interchange fee paid to issuers.

While such a comprehensive single package of regulations is unlikely to occur in the United States, various flavors of these items have been and continue to be discussed. Do you favor such types of regulation here in the United States? I suspect the answer depends on your role in the payments ecosystem. I am interested in hearing from you.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

October 6, 2014

Starting Off on the Right Note with Mobile Enrollment

In Rogers and Hammerstein’s Sound of Music, the classic song “Do-Re-Mi” begins “Let's start at the very beginning / A very good place to start...” Such a suggestion is essential in ensuring that the person enrolling in a payments system is, in fact, who he or she claims to be. The USA Patriot Act requires financial institutions (FIs) to develop a formal customer identification program that validates the customer when the account is opened. This program must specify the documentation that is used for authentication.

However, once the account is open, FIs have greater latitude in their procedures for identifying customers when the FIs handle account access requests, such as when a customer requests a change of address or enrolls in a third-party program that uses a card that the FI has issued to the customer. At that stage, it’s up to an FI’s own risk-management policies as to what documentation to require.

This situation can be risky. For example, let’s look at what happens when a customer wants to add a payment card to a mobile wallet that a third party operates. When the customer adds the card—enrolls with the third party—how can the FI that issued the card know that not only the payment card being added but also the mobile phone itself belongs to the right individual? How can the issuer efficiently and effectively ensure that the payment card information being loaded on a phone hasn’t been stolen? Adding any sort of verification process increases the friction of the experience and can result in the legitimate user abandoning the process.

Most mobile wallet operators use several techniques to validate that both the mobile phone with the wallet and the payment card belong to the rightful customer. (These operators send a request to the issuing FI as part of their enrollment process.) Some FIs require the operator to have customers submit their payment card information along with their cards’ security code and additional data, such as the last four digits of the social security number. Others may require just the payment card number, expiration date, and card security code, although such a minimal requirement offers little protection against a stolen card being added to a criminal’s phone. Still others require the customer to submit a photo of the payment card taken with their phone to verify possession of the card. If the issuer can obtain some of the phone’s device information, it can increase the level of confidence that the authorized cardholder is using their phone.

Regardless of what process is used, having strong identification controls during the initial enrollment step is essential to a sound risk management program.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

February 21, 2012

Security in the mobile wallet: Is it good enough yet?

For years we've heard about the future mobile wallet—using the phone to carry payment cards, loyalty rewards, bank account access, and identification instead of a traditional leather wallet. The wallet will also be able to hold electronic receipts for purchases made using the phone at a merchant's point of sale. 2012 portends to be the year of reckoning, with several trials scheduled for rollout. If your wallet resembles the one in the Seinfeld episode about George Costanza's exploding wallet, an electronic wallet contained in your mobile phone is a welcome prospect.

But the truth is that while recent developments in the application of near field communication (NFC) technology for mobile wallet trials have come faster than most industry expectations, a variety of hurdles are likely to waylay widespread adoption in the near term; namely, hurdles relating to security.

Different security deployments for mobile wallets may postpone widespread adoption
While, as noted in our 2011 mobile industry position paper, firms engaged in rolling out new mobile payments services have agreed that successful near-term adoption will rely on common standards for security and interoperability, free market dynamics dictate that all players in this new mobile ecosystem will not necessarily work together, motivated instead by a responsibility to create shareholder value. As a result, current industry discussions show that the service providers—namely, the mobile operators and the financial institutions partnering in these new business models—are considering different security deployments.

A recent article by Dan Balaban in the February 13 issue of NFC Times summarizes the situation well:

"While mobile operators continue to push for the SIM card to become the de facto secure element in NFC phones, some banks and other service providers still are seeking alternatives. The products that continue to draw the attention of a number of banks include microSDs, as well as iPhone attachments—the latter using either microSDs or embedded secure chips as secure element. Of course, there are no strong signals yet that microSDs, either as part of phone attachments or working in full NFC handsets, will challenge SIM cards or embedded chips as the primary secure element in contactless-mobile phones. At present, the microSDs generally carry higher costs, face logistical problems and still lack standards."

It stands to reason that a lack of standards in security can threaten consumer trust when something goes wrong, as we saw this week with the Google Wallet, the first U.S. mobile wallet deployment to date. Google has stopped activating new prepaid accounts in its mobile wallet after discovering a security flaw that allows unauthorized users to access the prepaid account without requiring a PIN. While the flaw is related more to the wallet application than to the security technology in the chip used to store data in the handset, the negative press from the event may impact consumer adoption for other mobile wallet trials scheduled to rollout in 2012.

Security standards for mobile apps may lag development cycle
According to ViaForensics, the lack of standards for mobile application security may challenge application testing methodologies. In fact, a February 13 post on ViaForensics' blog asserts that "...the speedy mobile development cycle and this lack of experience in the platforms is causing coders to throw all of those secure development principles the industry has fought for over the past five years right out the window when it comes to mobile apps..." While attention to security for mobile applications is evolving, ViaForensics's recent study found that financial services applications had the largest percentage of apps that passed their security tests.

Regulatory considerations for financial institutions
In most developed countries, such as the United States, mobile financial services are deployed in bank-led service models, partnering with the mobile telecom operators. A recent article published by the Federal Deposit Insurance Corporation, "Mobile Banking: Rewards and Risks," aptly notes that any financial service provider that engages a third-party service provider such as a telecom firm is expected to conduct appropriate due diligence to ensure they are working with reliable and reputable vendors to develop secure applications. Regulators will look to financial institutions to make sure their mobile services partners are fulfilling meeting the terms of third-party agreements with respect to application and device security.

Widespread adoption may occur gradually
While stakeholders develop common standards for device and application access, and data security, it may take a while for mobile wallets to become commonplace. Reported security mishaps may be beneficial, in the end, if they serve to temper consumer adoption while financial institutions and their mobile services partners work to identify and manage potential security issues.

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

December 5, 2011

The future of mobile payments

Although mobile payments have been much slower to develop in the United States than many industry observers had predicted, there have been a number of encouraging recent developments. Starbucks, for example, has processed more than 20 million mobile payments since launching its app, and the Chicago Transit Authority's new fare collection system will be able to accept mobile payments starting in 2013. Still, despite these small successes, the United States has not seen the mobile phone really take off as a vehicle for point-of-sale payments.

The Retail Payments Risk Forum takes an active interest in mobile payments. For the past few years, we have gathered together key industry stakeholders to promote dialogue about barriers to adoption and reach a collective understanding about the state of the industry. Forum members have recently published a paper describing the views of these stakeholders and outlining the necessary elements of a successful mobile payments system.

The Retail Payments Risk Forum recently interviewed David Evans, a payments industry consultant and the founder of Market Platform Dynamics, in a podcast exploring some of the challenges facing widespread mobile payments adoption. Evans maintained that a couple of obstacles have kept mobile payments from taking off in the United States. "Barrier number one is that there is not a very persuasive mobile payments alternative for consumers to use at the point of sale, and the second is that there's really not the technology at the point of sale capable of processing a mobile payments-type transaction."

In addition to these barriers, he said, is the simple fact that most consumers are satisfied with the way things are. Evans explained, "I can pull out a credit or a debit card at the point of sale, I can swipe it, and it works beautifully. Takes about a second. No fuss, no muss—the clerk knows what to do. The technology is all there. So we have this wonderful system that works really well right now that's extremely efficient." To change the status quo, a compelling value proposition must emerge for all parties. "Someone's going to have to come up with a really great alternative that adds value to the merchant and adds value to the consumers to make both of them want to do something different than [what] they are currently doing," said Evans.

Regarding the prospects for mobile payments outside the United States, Evans said, "I think that where we are going to see mobile payments take off around the world is primarily in countries that do not already have a very well-developed payment card industry with acceptance at the point of sale and that have very well-developed mobile phone systems."

The role of different types of market players has been a major source of debate among those forecasting mobile payments. Many disagree how the mobile carriers, such as Verizon and AT&T, will fit into the new landscape. Evans predicted that "the likely role of the carriers in payments is basically being a pipe." He stressed that mobile carriers do not have the expertise to operate mobile payments and are more likely to become pipes for others who will develop mobile payments alternatives.

When asked about his predictions about the type of technology that will ultimately support mobile payments, Evans said that it was still too early to know. However, he did say that "it's really the solution that is going to drive the adoption of a particular acceptance technology at the point of sale, rather than the acceptance technology driving the solution." There are clearly still a lot of unknowns with regards to mobile payments, and Evans wisely concluded that "we should talk about this in 10 years when we may actually know the answer!"

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

TrackBack

Comments

I completely agree with Evan's statement: Someone's going to have to come up with a really great solution that adds value to the interaction. The majority of consumers are not going to adopt mobile payments because it's cool to pay for something with your smartphone. Early adopters will, but the rest of us won't. We will adopt mobile payments when it is clearly more valuable (more convenient, more fun, etc).

I think a good example of this is Square's Card Case mobile payment app which allows consumers to pay for stuff through their Square account without ever taking the phone out of their pocket.

To read more about this, you can check out my blog post on the subject here: http://www.zootweb.com/blog/index.php/mobile-disruptive-innovation/756/

I fully agree with Mr Evans - it will take something really ground-breaking to change the way we pay for our shopping. None of the alternatives being proposed or in some cases rolled out right now seems to have what is takes to stop us from using cash and cards in most transactions.

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

November 28, 2011

Portals and Rails welcomes new director of Retail Payments Risk Forum

On August 31, we said farewell to our director, Rich Oliver, when he officially retired from the Retail Payments Risk Forum after 38 years with the Federal Reserve. With his many accomplishments and significant contributions to the Fed, to the Forum, and to research in the payments industry, Rich left behind some pretty big shoes, and we've been looking for someone to fill them. Well, we've found someone more than capable of walking in these shoes, and we'd like to invite you to join the Portals and Rails team in welcoming the Forum's new director, Mary Kepler. On December 1, Mary will step into her new shoes—uh, role—overseeing the Forum and maintaining District and System-level relationships with industry executives and organizations in the payments arena and in payments risk and fraud prevention.

Now, we're not to going to divulge Mary's shoe size, because we're really only speaking metaphorically here and would never comment on anything so personal in such a public forum, but we can tell you about Mary's path that has brought her to us. She certainly comes to her new position with a variety of relevant experience, most recently as the vice president of Financial Management and Planning (FM&P) here at the Atlanta Fed.

Mary originally came to the Atlanta Fed in 1992, moving from the Kansas City Fed, so she has a long history with us. She joined the Atlanta Fed in Supervision and Regulation department and was soon promoted to relationship manager with the AmSouth Bancorporation. In 1998, she moved to the automation operations department, where she was assistant vice president until 2002, when she became vice president. Mary joined the Retail Payments Office in 2003 and for two years served as the Federal Reserve System liaison to the U. S. Treasury Department for retail payment services that the System provides to the U.S. Treasury.

From 2005 to 2006, Mary was senior human resources officer. She chaired the Bank's Human Resources Committee and was an advisor to the Bank's Management Committee. She then became senior officer over FM&P.

As you can see, Mary comes to the Retail Payments Risk Forum well qualified. We look forward to embarking on this next phase of our journey under her capable, proven leadership.
So please help us congratulate Mary on her new position, wish her continued success, and tell her she wears her new shoes well.

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

November 7, 2011

International Fraud Awareness Week is here

According to the Association of Certified Fraud Examiners (ACFE), organizations worldwide lose roughly 5 percent of annual revenues to fraud. That's huge. A theme that we return to again and again in Portals and Rails is the fact that technology is making our lives—including the ways we transact consumer payments—more efficient and secure. But these new technologies also offer fraudsters new and sometimes better ways to perpetrate crime.

In an effort to promote fraud awareness and education, starting November 7, the ACFE is sponsoring International Fraud Awareness Week, a "time dedicated to fraud awareness, detection, and prevention." So in keeping with this theme, we are using this space to refocus on some of the issues around payments fraud in the United States.

U.S. payments fraud is on the rise but hard to measure
Unlike other countries, the United States does not have a single, uniform repository for collecting fraud loss data. Industry analysts primarily base their concerns about the industry on anecdotes from law enforcement, financial intelligence agencies, and regulators. In addition, recent media accounts of check fraud, corporate account takeovers, payment card breaches, card payment terminal skimming, and the like leave no doubt that in the retail payments arena, leave no doubt that the problem of fraud is universal and growing.

Also validating the growing concern are proxies such as fraud surveys from organizations like the American Bankers Association (ABA), which measures deposit account fraud in banks, and the Association for Financial Professionals, which works with corporations to measure their fraud loss experience. However, more information may be needed as payment systems grow more complex, provide new alternative solutions and access new electronic channels.

Internal fraud is growing globally
The global economic downturn has led to an increased incidence of payments fraud. Sometimes financially distressed employees—rationalizing their behavior in light of dire circumstances—commit frauds within a business, effectively stealing from their employers. For example, employees in financial institutions who have access to large amounts of customer data may use their insider access to commit fraud. In one of our podcasts, an expert noted that internal fraud is more growing more common—and complex—as criminal rings increasingly place their people within legitimate organizations, where they can then steal data. Once they have the data, they can use it to commit a variety of frauds, including identity theft and payment crimes, such as card counterfeiting and counterfeit checks, to name just a few.

Fraud awareness week highlights old-school solutions
The International Fraud Week web page highlights resources for fraud prevention and education that businesses and consumers can tailor to their own particular needs. For example, the site offers a link to a Fraud Prevention Check-Up, which provides a framework for business to assess their risk and evaluate the strength of their fraud mitigation environment. Another anti-fraud resource is a presentation with tips to help organizations prevent and detect fraud.

To that same end, Portals and Rails in an earlier blog offered a recommendation for businesses to be proactive by adopting relatively simple control processes. For example, basic checklists like the one that follows can help organizations comply with ACH rules and regulations, avoid human error, and reduce fraud.

International Fraud Awareness Week activities
To help raise awareness around fraud, the ACFE recommends that businesses participate year round in its blog and in other social media initiatives, such as forums for dialoguing and sharing ideas on fraud detection and mitigation. It also suggests that organizations spread the word to colleagues and clients about International Fraud Awareness Week and the resources available to promote strong fraud risk management program development.

One thing we know for certain, and can't say enough, is that our payment systems are growing more and more complex, in terms both of sophisticated technologies and of multiple new nonbank service partners entering the mix. With this constant change and development, the payment distribution chain will undoubtedly contain more points of potential vulnerability to risk and fraud. Taking basic preventive measures and increasing industry awareness through the activities and resources highlighted during International Fraud Awareness Week can go a long way to combating payment-related risks and fraud.

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

October 24, 2011

Keeping pace as money transmitters proliferate

As the United States migrates from paper-based retail payments to electronically enabled methods, we are witnessing a proliferation of entrepreneurial and innovative nonbank stakeholders entering the retail payments market. As my colleague discussed in a previous post, these nonbanks provide a variety of services that banks can use to create more efficient payment systems. But the fast pace of technological change and the ease with which these new companies can enter the retail payments arena may also be translating into new risk vulnerabilities for the nation's retail payments systems.

There are many different types of nonbanks in U.S. payments systems today, including technology developers, aggregators, agents, third-party service providers, and money service businesses (MSB) and transmitters. As technology enables more nimble and innovative payments, the role of MSBs and, in particular, money transmitters is growing more important.

Am I an MSB?
According to this table from the Financial Crimes Enforcement Network (FinCEN), certain products or service offerings may dictate the capacities in which a business might fit the definition of an MSB. Note that money transmitters represent a specific type of MSB that engages primarily in funds transfer services.

The innovations that PayPal introduced illustrate the value that transmitters add to the payment system through the provision of nimble service offerings that respond to consumer payment needs. Over time, PayPal has evolved into a mainstream payment service provider and household name, and has demonstrated a commitment to risk management and regulatory compliance across all the jurisdictions in which it operates. But PayPal's commitment contrasts with the overall state of the industry of MSBs, whose efforts are not completely transparent. MSBs and transmitters today operate in a fragmented regulatory environment determined by the specific governing laws, licensing requirements, and permissible business activities of each U.S. state.

As money transmitters become more prevalent players in our nation's payment system, is it time to reassess their regulatory environment and consider the potential benefits of a national supervisory framework?

Transmitters and the U.S. regulatory structure
Money transmitters are required to register with FinCEN and to comply with federal laws for anti-money-laundering and counterterrorist-financing provisions of the Bank Secrecy Act. In addition, 48 states require the licensing of money transmitters before they can do business. For money transmitters that operate in more than one state and across state lines, differences in state legal requirements create challenges to developing effective enterprise-wide compliance and risk-management programs. Furthermore, monitoring changes in various state legal regimes can be extremely complicated, not to mention costly.

Ironically, state regulatory authorities governing money transmitter businesses are generally budget-strapped in today's economically distressed environment, and lack the financial resources for taking action against all but the most egregious of bad actors. Unlike the prudential regulatory governance employed by the agencies of the Federal Financial Institutions Examination Council for the nation's mainstream financial institutions, regulatory response for the oversight of money transmitters is prompted instead by complaints to state authorities, or by the filing of suspicious activity reports to FinCEN.

Future regulatory considerations
There are many risks to consider in this nascent segment of the retail payments industry. With the ease of entry into the market for money transmitters and the potential lack of funding in some states for comprehensive regulatory oversight, some startups may circumvent licensing and capital requirements by merely opening for business, undetected by state authorities. FinCEN has issued advisories requesting that financial institutions that discover such businesses file suspicious activity reports (SARs) as a means of mitigating unlicensed and potentially illegal activity. Unfortunately, as technology supports more sophisticated advancements in electronic payments as well as new alliances between carriers and money transmitters, regulatory efforts will become increasingly difficult.

The newly established Consumer Financial Protection Bureau is empowered to exercise enforcement authority for improper conduct on behalf of money transmitters, but the task is daunting, considering the disproportionate state-by-state regulatory framework currently in place. Is it time to consider a more consistent, national approach to the legal and regulatory oversight of money transmitters? And, considering the onerous compliance costs that the current environment imposes, would money transmitters in fact welcome a more consistent, uniform environment?

TrackBack

Comments

You are right to ask the question Cindy. A national framework that works to separate payments and other banking businesses ought to be a straightforward first step toward a more efficient payment sector. Innovation in the "money transmitter" segment should be decoupled from the areas of systemic risk (eg, credit creation).

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

October 17, 2011

As payments system evolves, "funny" money is still no laughing matter

Counterfeit money in the United States has been in circulation since colonial America. During the Revolutionary War, counterfeiting of Continental American money became so rampant that the currency became worthless. Hence, the phrase "not worth a Continental" was born. Counterfeiting continued after the country's independence from the British, so the government established the U.S. Secret Service in 1865 to suppress it. It was only later that the agency was also tasked with the highly visible and publicized mission of protecting national leaders, most notably the president, and visiting foreign leaders.

Since the establishment of the Secret Service, payment types have advanced from paper bills to checks and card-based payments. Alongside the advancement of our nation's payment methods, the security features of each payment type are evolving to combat attempts at counterfeiting. Yet today, 111 years after the Secret Service was established, counterfeiting remains a threat to the U.S. payments system. This blog examines the security technological advances currently deployed and those in development to fight counterfeiting schemes in consumer payments.

Counterfeit currency
In 1865, approximately one-third of all currency in circulation was counterfeit. Today, counterfeit currency is estimated to represent only 3/100ths of 1 percent of total currency—yet the crime of counterfeiting currency remains popular. According to its Fiscal Year 2010 Annual Report, the Secret Service made more than 3,000 domestic and international arrests for counterfeiting offenses in 2010, resulting in the removal of more than $261 million in counterfeit currency from circulation. This amount is an increase of more than 150 percent from the 2008 level of $103 million. Continued advancements in computer and printing technologies aid counterfeiters in producing hard-to-detect counterfeit bills. It is also important to note that counterfeit bills do not have to be perfect. These bills just need to be good enough for the counterfeiters to exchange once to another party to be deemed successful.

To mitigate the production of counterfeit currency and to help detect it, the U.S. Department of the Treasury constantly enhances paper currency's security features. Newer features such as color-shifting ink, watermarks, and security threads have made paper currency more difficult for criminals to counterfeit accurately.

Counterfeit checks
Much like paper currency, checks became an important payment instrument in the United States following the Revolutionary War. And as is the case with paper currency, checks are also a common target for counterfeiters. Even as check usage continues to decline, check fraud continues to increase and remains one of the largest threats to businesses today, according to the 2011 AFP Payments Fraud and Control Survey: Report of Survey Results. Also according to this report, the counterfeiting of nonpayroll checks using an organization's MICR line data remains the most widely used technique to commit check fraud.

Counterfeit cards
Since the first credit card was introduced in the United States in 1958, card-enabled debit and credit payments have become many consumers' preferred payment methods. But just as payments migrated from paper to electronic methods such as debit and credit cards, counterfeiting fraud schemes have shifted from paper as well. Today's payments fraud-related headlines are flooded with stories of card-skimming schemes to produce counterfeit cards. Fraudsters are using skimming devices on point-of-sale (POS) terminals and at ATMs to capture card numbers. As my colleague Cynthia Merritt previously discussed in an earlier post, these skimming devices are becoming more sophisticated. According to Verizon's 2011 Data Breach Investigations Report, tampering of ATMs and POS terminals accounted for 98 percent of physical data breaches in 2010. The report notes that these tampering attacks, which have been occurring for years, are on the rise.

Despite the continued evolution of payment types and their corresponding security features, counterfeiters persist in finding ways to harm the payments system, regardless of payment type. Although the industry can and should strive to eliminate the success of counterfeiters, history shows us that the task is all but impossible. It will be very interesting to see the effect that new security enhancements as they develop will have on counterfeiting trends in the United States. For me, I am eagerly anticipating the effect that dynamic data chip-enabled transactions will have on the skimming and counterfeiting of payment cards should the industry adopt the technology.

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

October 11, 2011

High-impact events in a warming world: Business continuity planning for retail payments

Which will be the first to reopen after a major disaster: your financial institution or the local Waffle House? In some cases, you may be able to order your hash browns smothered, covered, peppered, and chunked before electricity is restored to your usual ATM. The breakfast chain invested heavily in crisis management planning following Hurricane Katrina, and today is recognized as one of the most responsive American companies to disasters. Whether the move was more about building goodwill and trust among customers or about profitability, the underlying operational risk management principles Waffle House employed apply equally to financial institutions and third-party payment processors.

Appropriate operational risk management for any organization includes business continuity planning for even unlikely disasters. In fact, this year's extreme weather highlights the need to prepare for even low-probability but high-impact events. In February, unprecedented snowfall blanketed Chicago. Record numbers of tornadoes ravaged the Southeast this April. Floodwaters swelled the Mississippi River to a new high in May. Just last month, historic flooding menaced the Northeast. Such disastrous weather leads not only to evacuations, grounded flights, and missed school days, but also could affect the ability of banks to maintain retail payment systems. Tellers may not be able to make it into branches to accept deposits and process withdrawals. Flooding can damage ATMs and the cash and checks they contain. Tornadoes may wreck back office processing centers or knock out the electricity and network connectivity critical for clearing and settling transactions on time.

Evidence indicates that global warming is causing an increase in extreme weather. Apart from being frightening, greater volatility in the weather requires a different approach to business continuity risk assessments. And this instability makes it difficult or impossible to determine the actual likelihood of a disruption. As part of a lessons-learned debriefing from Hurricane Katrina, the Federal Financial Institutions Examination Council emphasized that preparing for just this kind of disaster is critical. The agency's advice is to focus on potential outcome, not probability, in assessing business continuity plans:

The impact rather than the source of the threat should guide the development of disaster recovery and business continuity plans.... However, every threat that could pose a high adverse impact generally warrants further consideration regardless of its probability of occurrence.

The Bank for International Settlements has recognized the importance of business continuity planning for the financial services industry, so in 2006, it came out with seven high-level
principles that can serve to direct financial institution and payment processor risk management efforts. These principles underline the importance of explicitly considering and preparing for major disruptions and acknowledge that such disruptions are occurring with increasing frequency. They also advise clear and regular communication with affected parties internal and external to the affected business, and note that ultimate responsibility for operational risk rests with senior management and the board of directors of the organization. Once implemented, plans should also be periodically tested and refined as necessary.

In a world that isn't always predictable, strong business continuity plans hinge on making sure businesses are ready for the unexpected. The mission-critical nature of retail payments should challenge financial institutions to be at least as prepared as the local diner.

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.